Speed of hackers to crack passwords shows weakness of security scheme used by LinkedIn, researchers say

More than 60% of the unique hashed passwords that were accessed by hackers from a LinkedIn password database and posted online this week have already been cracked, according to security firm Sophos.

It's very likely the remaining passwords have also been cracked, said security researcher Chester Wisniewski late Wednesday.

In all, a total of 6.5 million hashed passwords believed to belong to LinkedIn members were posted on a Russian hacker forum earlier this week. The crooks posted the data in an effort to get help in cracking the passwords.

Sophos said it identified about 5.8 million hashed passwords as unique.

Based on an analysis of the 118MB password dump, Wisniewski said close to 3.5 million of the unique passwords had been cracked and made available in plain text by late last night. It's only a matter of time before the remaining passwords are similarly cracked using automated password guessing tools, he added.

The speed at which so many hashed passwords were cracked underscores the weakness of the password protection scheme used by LinkedIn, Wisniewski said.

The breached LinkedIn member passwords were all hashed, or masked, using a hashing algorithm known as SHA-1.

Though SHA-1 offers a degree of protection against password cracking attempts, the algorithm is by no means foolproof.

Therefore, many organizations these days use a process known as salting -- where a random string of characters is appended to a password before it is hashed -- to make password cracking much harder. The process ensures that even if two passwords are identical, their hashes will be unique.

Salting is considered something of a best practice for protecting passwords, especially those used by employees of large companies.

That LinkedIn apparently chose to protect passwords using just SHA-1 is disappointing, Wisniewski said. "They chose a moderate security method. For an organization as large as LinkedIn, I would expect better," he said.

The worst policy for companies is to store passwords in clear text, experts say.

Storing them in hashed form with no salting is nearly as bad, considering the availability of SHA-1 hash cracking tools, Wisniewski said. Tables that contain pre-computed hashes for billions of passwords are easily available. Almost anyone can use these tables to look up almost any unsalted SHA-1 hash and recover the password in plain text in a matter of minutes.
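The following Python block is an added illustration, not code from the article or from LinkedIn or Sophos, of the two points above: why two identical unsalted SHA-1 hashes are identical and match a pre-computed table, and why a per-user random salt breaks that table lookup. The wordlist and the "pre-computed table" built from it are constructed here for the demonstration; all function names are hypothetical.

```python
"""Unsalted vs. salted SHA-1 password storage (added illustration)."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed wordlist standing in for a large pre-computed hash table.
WORDLIST = ["linkedin", "p455w0rd", "redsox", "sophos", "letmein"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(password: str) -> str:
    """Plain SHA-1 of the password: the same input always yields the same hash,
    so one table of hashes serves every user and every site that does this."""
    return sha1_hex(password.encode("utf-8"))


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """SHA-1 over salt || password with a fresh random salt per record.
    Returns (salt_hex, hash_hex); the salt is stored next to the hash, not secret."""
    if salt is None:
        salt = os.urandom(16)
    return salt.hex(), sha1_hex(salt + password.encode("utf-8"))


def verify_salted(password: str, salt_hex: str, stored_hash: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    recomputed = sha1_hex(bytes.fromhex(salt_hex) + password.encode("utf-8"))
    return hmac.compare_digest(recomputed, stored_hash)


def build_table(words: Iterable[str]) -> Dict[str, str]:
    """Pre-computed table: unsalted SHA-1 hash -> plaintext, built once and reusable."""
    return {sha1_hex(w.encode("utf-8")): w for w in words}


def lookup(table: Dict[str, str], hash_hex: str) -> Optional[str]:
    """Table lookup; returns the plaintext for an unsalted hash, None otherwise."""
    return table.get(hash_hex)


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Returns (table hit for the unsalted record, table hit for the salted record)."""
    table = build_table(WORDLIST)
    unsalted_hit = lookup(table, store_unsalted("redsox"))        # 'redsox'
    salt_hex, salted_hash = store_salted("redsox")
    salted_hit = lookup(table, salted_hash)                       # None: salt changes the hash
    assert verify_salted("redsox", salt_hex, salted_hash)         # login still works
    return unsalted_hit, salted_hit


if __name__ == "__main__":
    print(demo())
```

The salt does not have to be secret; its job is to make each stored hash unique so that a table computed once cannot be reused across users or sites. Salting alone does not slow down guessing against a single record, which is why current practice pairs a salt with a deliberately slow password hash such as PBKDF2 or bcrypt rather than a single SHA-1 pass.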

In response to widespread reports about the breach, LinkedIn yesterday admitted that "some" of its passwords might have been compromised. So far, the company has not indicated how the breach occurred or how many passwords may have been compromised.

In a carefully worded blog post on Wednesday, LinkedIn director Vicente Silveira said that the company had disabled all the compromised passwords and was instructing affected members how to access their accounts to reset their passwords.

In the post, Silveira said that LinkedIn has implemented salting to protect newly updated passwords and also passwords that have not been compromised.

"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," Silveira had noted.

The wording is a bit puzzling because it suggests that LinkedIn has salted or is salting existing password hashes, Wisniewski said.

Salting is done before a password is hashed. Once a password has been hashed, there is no way it can then be salted, he said. Unless LinkedIn had implemented salting before the breach, the only way it can salt hashes at this stage is to get everyone to update their passwords, he said.

There is no evidence yet that the email addresses associated with each password have been accessed by the hackers. But it is very likely that they have been, he said. Usually passwords are stored in the same database as other account details.

Sophos' analysis of the breached passwords uncovered another familiar malaise -- the longstanding tendency of users to have easily guessable passwords.

Passwords found in the dump include 'linkedin', 'linkedinpassword', 'p455w0rd' and 'redsox', the company said in a blog post. Other examples included 'sophos', 'mcafee' and 'symantec'.

Weak passwords have long been the of enterprise security.

Though analysts have long advocated the use of strong passwords and passphrases for controlling access to critical applications and data, many companies and employees have continued to use weak or default passwords. Often, the same password is used to control access to multiple accounts.

Trustwave SpiderLabs recently analyzed over 2.5 million passwords used within enterprises and discovered that variations on the word "password" made up more than 5% of passwords. The most common password used by global businesses was "Password1", because it satisfies the default Microsoft Active Directory complexity setting, the company noted.

"It is important for all users of [LinkedIn] to immediately change their password, not just on LinkedIn, but any other social network where the same password has been used," Trustwave security researcher Nicholas Percoco said via email. "Perhaps more importantly however, users should also change any passwords to their corporate networks where they have used the same password."